Deny unknown clients and static ARPs

broncoBrad · Aug 28, 2012, 9:50 PM

I have an OPT network that I checked the Deny unknown clients, but last night I was able to connect to the network and it gave me an IP via DHCP and the MAC address was not registered in the static IP mappings for that interface. Why is this happening?

I have noticed the Static ARP option, but I'm worried about messing up the connections to the wireless AP. So the question is if I have a wired NIC that connects to a wireless AP and that AP has a manually assigned IP because it doesn't like receiving it's IP dynamically, can I put that IP and MAC address in that static mappings? Do I need to with Static ARP enabled?

Hope this all makes sense. Thanks!

wallabybob · Aug 28, 2012, 10:52 PM

@broncoBrad:

I have an OPT network that I checked the Deny unknown clients, but last night I was able to connect to the network and it gave me an IP via DHCP and the MAC address was not registered in the static IP mappings for that interface. Why is this happening?

You didn't restart DHCP server so it didn't notice the configuration change?

@broncoBrad:

I have noticed the Static ARP option, but I'm worried about messing up the connections to the wireless AP. So the question is if I have a wired NIC that connects to a wireless AP and that AP has a manually assigned IP because it doesn't like receiving it's IP dynamically, can I put that IP and MAC address in that static mappings? Do I need to with Static ARP enabled?

I don't see any reason why you couldn't but its not clear to me what you are trying to accomplish by doing so.

broncoBrad · Aug 29, 2012, 1:52 AM

The latter part of my last post was talking about doing static ARPs because the Deny Unknown Clients wasn't appearing to work. Also if I say Deny Unknown Clients that just stops clients from obtaining an IP for that network, but there's nothing stopping them from making a static IP for their NIC and connecting to the network is there?

wallabybob · Aug 29, 2012, 2:20 AM

@broncoBrad:

but there's nothing stopping them from making a static IP for their NIC and connecting to the network is there?

And (in many cases), there is nothing to stop them using the MAC address of their choice and consequently bypassing the protection you think you might get from using static IP and static ARP.

SeventhSon · Aug 29, 2012, 6:22 PM

Have a look at the IPGuard package

rjcrowder · Sep 15, 2012, 8:08 PM

@SeventhSon:

Have a look at the IPGuard package

I could never get IPGuard working correctly… ended up writing a script that created ipfw firewall (layer 2) rules to accomplish this. Let me know if you get it working correctly - I'd like to know how. Likewise, if you don't get it working, let me know and I'll send you my script.

mendilli · Sep 17, 2012, 2:20 PM

hi!

if you are familiar with coding, check my thread, if you can help me overcome my problem ı think ay can help you

my:thread:http://forum.pfsense.org/index.php/topic,53655.0.html